F5 BIG-IP Access Policy Manager (APM) - Idp integration - Cisco vManage
Introduction
Cisco vManage allows administrators to configure Single Sign-on through Idp (Identity Provider) for users (administrators) authentication.
Integrating with F5 BIG-IP APM as Idp, we are able to use a wide range of authentication methods and Multi-Factor Authenticaiton techniques to enhance admins secure access.
Below are the main parts:
1- Identity Provider (Idp): In our case, F5 acts as Idp that integrate with different authentication services with MFA if required.
2- Service Provider (SP): In our case, Cisco vManage.
3- Users: Whether admins, guests or operator level users, they are the one initiating the access and providing the credentials.
Lab setup
Below is the lab setup used in our test,
- Cisco vManage acting as the service provider, with the below notes,
- Organization name is configured under Administrator > Settings.
-
- Idp enabled and download the SAML service provider metadata.
- F5 BIG-IP APM acting as Idp and as a simple test we are using localdb on APM, but in production environment it's recommended to use other options like Active Directory (AD).
- Configure Idp settings.
- Import Cisco vManage metadata to create SP connector.
- Create SAML resource that will be used in the policy.
- Create Virtual Server with the access policy related to SAML.
Note, It's doable to add MFA and different authentication schemes.
F5 BIG-IP APM configurations
At F5 BIG-IP APM side, we need to configure the below elements,
- Configuer Access Policy and assign it to virtual server.
- Logon page, Authentication.
-
- Variable assign to fetch user group membership to send it over to vManage based on the user name.
- Configure Idp elements:
- Local Idp service (Access > Federation > SAML Identity Provider > Local Idp services)
- Idp identity ID, this reflects the virtual server used for Idp.
- Local Idp service (Access > Federation > SAML Identity Provider > Local Idp services)
-
- Assertion settings
-
- Attributes need to be sent within the SAML assertions, note here we added the Groups attribute that reflects the adminitrator privilege level.
-
- Security settings define the certificate and key used for SAML signing.
- Now, we need to import the Service Provider Metadata (Federation > SAML Identity Provider > External SP Connectors)
- Click on the arrow at create word and select Import from Metadata
- Select the metadata file you downloaded from vManage administrator page
- Type a service provider name (any name).
- In the sigining certificate select None.
- Click on the arrow at create word and select Import from Metadata
- After the file is successfully imported, we need to bind this SP connector the the Idp service we created.
- From (Federation > SAML Identity Provider > Local Idp services) select the Idp service we created then click on bind then selct the SP Connector we created in the previous step.
- One final step to finalize the SAML configuration elements, Configure the SAML resource that will be used in the access policy (Access > Federation > SAML Resource) and click create, then select the Idp resource referencing our Idp service.
- Create Full webtop, Access > Webtops > Webtop list
User testing
- User tries to login to Cisco vManage administration page.
- Browser is redirected to F5 APM login page, for user to provide the credentials.
- F5 APM then validates the credentials with the configured authentication service.
- F5 redirect the browser back with the SAML assertion to Cisco vManage and user is logged in successfully.
Notes
Some notes for modification might need to be done.
- Make sure to send the SAML attribute Groups as without it, vManage automatically assign the user as basic group.
- Based on your authentication service, the variable where the Group name is obtained might be different.
- When you try to upload the metadata to F5 SP connector, it will give an xml signed error, so you need to remove the part in the xml between the tags (<ds:Signature ….. </ds:Signature>) , then upload the metadata and choose signed certificate as none. The metadata will automatically create the .crt / .key files.
